3. SISA
Consulting
PCI DSS
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PCI Assurance Services (SAQ)
PA DSS
• PA QSA Validation Services (PA-DSS)
Advisory
• Risk Assessment (IS-RA)
• Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in Dot-Net
• Awareness Sessions
Products
• SISA Security Assistant: Compliance Management Tool for
  • PCI DSS
  • HIPAA
  • FFIEC
  • FISMA
  • ISO 27001
  • Application Security
4. About SISA
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security Inc., Americas
• SISA Information Security WLL, EMEA
Consulting – Training – Products
Customers in 25 Countries
Our customers are some of the world's biggest Banks, Merchants, IT, BPOs and Telecoms
7.
1. Network Diagram
• Formal
• Comprehensive
2. Network Device Administration
• Change Management
• Console Connections
• Remote Connections
3. Network Device Maintenance:
• Business Justifications
• Firewall Rule Review every 6 months
4. Placement of Firewalls:
• Between Internet and DMZ
• Between DMZ and Internal Network
5. Configuration of Firewalls:
• Stateful Inspection
• Filtering Traffic between Internal and External network
• NATting for internal IP Addresses
8.
1. No Defaults
• Username: administrator, system, cisco, infosys
• Password: 0000, 1234
2. Wireless Environments
• Change the default WEP keys
• Change the default passwords on access points
3. Device Configurations
• One primary function per server
• Only required services are enabled
• Systems are hardened
4. Admin access to devices:
• Console access should be authenticated
• Non-console access should be strongly encrypted, e.g. SSH
• No Telnet
9.
1. Storage
• Protect Stored Card Number
• Do not store CVV or Track Data
2. Retention Period
• Define business period for retention
• Review stored cardholder data every quarter
• Remove obsolete data
3. Key Management
• Generate Strong keys
• Store keys securely
• Distribute keys securely
• Change keys at the end of their lifetime
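The storage and retention points above can be turned into concrete controls. The following Python is an added example, not part of the SISA deck: a sanitiser that strips sensitive authentication data (CVV2, track data, PIN block) and truncates the PAN to first six / last four before anything is persisted (truncation is one of the forms of rendering PAN unreadable that PCI DSS accepts); a scanner for the quarterly review that finds track 2 data and Luhn-valid PANs in stored text; and a purge of records older than the business-defined retention period. The field names, the log line, the record layout and the dates are all constructed for the demonstration, and 4111111111111111 is a well-known test card number, not a real account.

```python
import re
from datetime import datetime, timedelta, timezone

# Sensitive authentication data: must never be kept after authorisation (constructed field names).
SAD_FIELDS = ("cvv2", "track1", "track2", "pin_block")

# Track 2 layout: ';' start sentinel, PAN, '=' separator, YYMM expiry, service code and
# discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d+\?")
# A standalone run of 13-19 digits is a PAN candidate; the Luhn check decides.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Mod-10 check: separates real card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Render the PAN unreadable by truncation: keep first six and last four digits only."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record):
    """Return the copy of a transaction record that is allowed to be persisted."""
    clean = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if "pan" in clean:
        clean["pan"] = truncate_pan(clean["pan"])
    return clean


def find_prohibited_data(text):
    """Quarterly review helper: report track data and full PANs found in stored text."""
    findings = [("track2", truncate_pan(m.group(1))) for m in TRACK2_RE.finditer(text)]
    # Blank out track data first so its PAN is not reported a second time as a bare PAN.
    remainder = TRACK2_RE.sub(" ", text)
    for m in PAN_RE.finditer(remainder):
        if luhn_ok(m.group(1)):
            findings.append(("pan", truncate_pan(m.group(1))))
    return findings


def purge_expired(records, retention_days, now=None):
    """Remove records older than the business-defined retention period."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["stored_at"] >= cutoff]


# Constructed sample data: a log line that leaked a PAN and a card swipe, and two stored records.
SAMPLE_LOG = ("txn=42 pan=4111111111111111 auth=ok "
              "swipe=;4111111111111111=2512101000000000000? ref=900012345678")
NOW = datetime(2014, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": 1, "pan": "411111******1111", "stored_at": NOW - timedelta(days=400)},
    {"id": 2, "pan": "411111******1111", "stored_at": NOW - timedelta(days=30)},
]

if __name__ == "__main__":
    print(sanitize_for_storage({"pan": "4111111111111111", "cvv2": "123", "amount": "10.00"}))
    print(find_prohibited_data(SAMPLE_LOG))
    print([r["id"] for r in purge_expired(SAMPLE_RECORDS, 90, now=NOW)])
```

The scanner reports findings with the PAN already truncated, so the review output itself does not become another place where full card numbers are stored.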
10.
1. Encrypt card numbers sent over the Internet, Wireless networks, GPRS, GSM
• SSH, SSL/TLS, IPSec are acceptable
2. Never send unprotected card numbers over E-mail or chat
11.
1. Scope
• All Windows systems must have AV
2. AV should be
• On
• Updated
• Running periodic scans
• Getting automatic updates
3. AV Logs
• At AV server end
• At AV client end
• Retained as per the 3 months – 1 year rule
12.
1. Patch Management
• Latest patches on all systems
• Deploy Critical patches in 30 days
• Risk Ranking
• Refer to external sources for vulnerabilities
2. Application Development
• Code Review
• Change Management
3. Custom Code Should Address
• SQL Injection
• Buffer Overflow
• Cross Site Scripting
• Cross Site Request Forgery, etc.
4. Public Facing Applications
• WAF or
• Application VA annually
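For the code review point above, the two defects a reviewer looks for first are query text built from user input and unencoded output. The following Python is an added example, not code from the SISA deck: the vulnerable string-built lookup beside its parameterized form, an allow-list for the one place parameters cannot help (a sort column, which is an identifier), and output encoding for the cross-site scripting case. The in-memory SQLite table, its rows and the sample inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, pan_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: user input is spliced into the SQL text and can change its meaning."""
    sql = f"SELECT username, pan_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the driver binds the value; the query structure is fixed at write time."""
    sql = "SELECT username, pan_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so they are
# restricted to a fixed allow-list instead.
SORTABLE = {"username", "id"}


def list_sorted(conn, column):
    """Reject any sort column that is not on the allow-list before it reaches the SQL text."""
    if column not in SORTABLE:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT username FROM customers ORDER BY {column}").fetchall()


def render_cell(value):
    """XSS defence: encode at output so stored markup is displayed as text, never interpreted."""
    return "<td>" + html.escape(str(value), quote=True) + "</td>"


if __name__ == "__main__":
    conn = make_db()
    tainted = "x' OR '1'='1"   # constructed input that terminates the quoted literal
    print(lookup_unsafe(conn, tainted))   # every row: the WHERE clause was rewritten
    print(lookup_safe(conn, tainted))     # no rows: the value is compared literally
    print(render_cell("<script>alert(1)</script>"))
```

The same tainted string returns the whole table through the concatenated query and nothing through the bound one; that contrast is what a code reviewer checks for in each database call, and the allow-list shows how to handle the parts of a statement that binding does not cover.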
13.
1. Assigning Access to CHD
• Job related need
• Approval mechanism for access
2. Implementing Access to CHD
• Automated access control system
• Default deny-all setting
16.
1. Every system and network component has to have logs
2. Things that must be logged:
• Access to CHD
• Admin activities
• Access to logs
• Use of authentication mechanisms
• Initialization of logs
• Creation/deletion of system level objects
3. Log Retention
• 3 months – 1 year rule
4. NTP
5. FIM on logs
17.
1. VA
• Internal VA
• External VA by an ASV
• Every quarter
2. PT
• Internal PT
• External PT
• Annually
3. Wireless Scans
4. IDS/IPS
5. FIM
High / Med / Low
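"FIM on logs" (slide 16) and "FIM" (slide 17) need a different rule from file integrity monitoring on static files, because a log is expected to change: what must not change is the part that had already been written. The following Python is an added example, not from the SISA deck: the baseline records each log's size and the SHA-256 of its contents at that moment, and the check re-hashes only that baselined prefix, so appends are accepted while truncation, in-place rewriting and deletion are reported. The log file names, their lines and the tampering scenario are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file (the part that existed at baseline time)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record the size and prefix hash of each log at baseline time."""
    baseline = {}
    for p in paths:
        size = os.path.getsize(p)
        baseline[p] = {"size": size, "sha256": hash_prefix(p, size)}
    return baseline


def check_logs(baseline):
    """Classify each log: growth is expected; truncation, rewriting or removal is an alert."""
    results = {}
    for p, b in baseline.items():
        if not os.path.exists(p):
            results[p] = "MISSING"
            continue
        size = os.path.getsize(p)
        if size < b["size"]:
            results[p] = "TRUNCATED"
        elif hash_prefix(p, b["size"]) != b["sha256"]:
            results[p] = "MODIFIED"
        elif size > b["size"]:
            results[p] = "APPENDED"
        else:
            results[p] = "UNCHANGED"
    return results


def demo():
    """Constructed scenario: one log grows, one is edited in place, one is truncated, one is deleted."""
    d = tempfile.mkdtemp()
    names = ("auth.log", "app.log", "fw.log", "db.log")
    files = {n: os.path.join(d, n) for n in names}
    for p in files.values():
        with open(p, "wb") as f:
            f.write(b"2014-01-01T10:00:00Z service started\n")
            f.write(b"2014-01-01T10:00:05Z admin login user=root result=ok\n")
    baseline = take_baseline(files.values())

    with open(files["auth.log"], "ab") as f:          # legitimate append: new events arrive
        f.write(b"2014-01-01T10:01:00Z admin login user=dba result=ok\n")
    with open(files["app.log"], "rb+") as f:          # same-length rewrite of an existing line
        data = f.read().replace(b"user=root", b"user=bobb")
        f.seek(0)
        f.write(data)
    with open(files["fw.log"], "wb"):                 # truncated to zero bytes
        pass
    os.remove(files["db.log"])                        # removed outright

    return {os.path.basename(p): s for p, s in check_logs(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

After a check reports APPENDED, the baseline is rolled forward to the new size so the next run covers the newly written lines as well; a size-only check would miss the app.log case, where an existing line was rewritten without changing the file's length.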
20. Dates
• PCI DSS 3.0 will be published on 7 November 2013
• Version 3.0 becomes optional from 1 January 2014 onwards
• Version 2.0 will remain active until 31 December 2014
26.
1. Maintain a list of service providers and what services they offer
2. Service providers should maintain their applicable PCI Requirements
3. Risks pertaining to service providers